The Department of Health and Human Services Office of Civil Rights (OCR) published its Guidance titled “Guidance on Software Vulnerabilities and Patching” in its June 2018 newsletter. In this Guidance, OCR stated that “identifying and mitigating the risks unpatched software poses to ePHI is important to ensure the protection of ePHI and in fulfilling HIPAA requirements.” [1]

Patching is an important security practice. Security standards, such as the NIST CSF and SP-800 series, have long required routine patching. It may come as a surprise that patching is not explicitly required by HIPAA.

However, it should not, because the HIPAA regulations were incomplete when they were drafted… 20 years ago. Of the Council on CyberSecurity’s top 20 security controls (in order of priority), the top 3 controls are not explicitly required by HIPAA. Compliance does not always equate to security. While Congress or the Administration could add new standards to HIPAA, they seem content to let OCR issue a Guidance saying that current standards implicitly require action. That is what is happening here.

OCR is saying that patching is implicitly required by HIPAA, and it relies on the risk analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A) and the risk management requirement at 45 CFR § 164.308(a)(1)(ii)(B) to reach this conclusion. “The scope of the risk analysis and risk management processes encompasses the potential risks and vulnerabilities to all ePHI…This includes identifying and mitigating risks and vulnerabilities that unpatched software poses…” [1]

OCR says that one mitigation activity to reduce the risk unpatched software poses to ePHI is to install patches, if reasonable and appropriate. [1] OCR recommends testing a new patch on an isolated system to determine its appropriateness before installing it on every system. [1]

In conclusion, we detect no desire in Washington to modernize the HIPAA Security Rule to clearly specify the most important security best practices. For now, OCR is on record that it expects software to be patched even though patching is not explicitly required in HIPAA. Larger organizations have recognized the importance of patching and have had patching regimens in place for many years. Small physician practices and small health providers that have been reluctant to spend the money on patching are now on notice. Patching is necessary for HIPAA compliance. For smaller organizations, we generally recommend that you retain your IT support company to handle the patching for you.


  1. US Department of Health and Human Services. June 2018 OCR Cybersecurity Newsletter: Guidance on Software Vulnerabilities and Patching.
  2. 45 CFR § 164.308 Administrative safeguards.
  3. Top 20 Security Controls (Updated): Crosswalk to the 42 HIPAA Security Controls
